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Abstract. ATL is a temporal logic geared towards the specification and verification of 
properties in multi-agents systems. It allows to reason on the existence of strategies for 
coalitions of agents in order to enforce a given property. In this paper, we first precisely 
characterize the complexity of ATL model-checking over Alternating Transition Systems 
and Concurrent Game Structures when the number of agents is not fixed. We prove that 
it is A2- and A3-complete, depending on the underlying multi-agent model (ATS and CGS 
resp.). We also consider the same problems for some extensions of ATL. We then consider 
expressiveness issues. We show how ATS and CGS are related and provide translations 
between these models w.r.t. alternating bisimulation. We also prove that the standard 
definition of ATL (built on modalities "Next", "Always" and "Until") cannot express the 
duals of its modalities: it is necessary to explicitely add the modality "Release". 



1. Introduction 



Model checking. Temporal logics were proposed for the specification of reactive systems 
almost thirty years ago |CE8H lPnu77[ mS82| . They have been widely studied and success- 
fully used in many situations, especially for model checking — the automatic verification 
that a finite-state model of a system satisfies a temporal logic specification. Two flavors 
of temporal logics have mainly been studied: linear-time temporal logics, e.g. LTL [Pnu77j . 
which expresses properties on the possible executions of the model; and branching-time tem- 
poral logics, such as CTL |CE8H |QS82| , which can express requirements on states (which 
may have several possible futures) of the model. 
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Alternating-time temporal logic. Over the last ten years, a new flavor of temporal logics 
has been defined: alternating-time temporal logics (ATL) |AHK97 ]. ATL is a fundamental 
logic for verifying properties in synchronous multi- agent systems, in which several agents 
can concurrently act upon the behavior of the system. This is particularly interesting for 
modeling control problems. In that setting, it is not only interesting to know if something 
can arrive or will arrive, as can be expressed in CTL or LTL, but rather if some agent(s) 
can control the evolution of the system in order to enforce a given property. 

The logic ATL can precisely express this kind of properties, and can for instance state 
that "there is a strategy for a coalition A of agents in order to eventually reach an accepting 
state, whatever the other agents do". ATL can be seen as an extension of CTL; its formu- 
lae are built on atomic propositions and boolean combinators, and (following the seminal 
papers |AHK971 [AHK981 I^K 02]) on modalities {{A))Xip (coalition A has a strategy to 
immediately enter a state satisfying ip), ((A)) G if (coalition A can force the system to always 
satisfy 93) and ((A)) (p\J ip (coalition A has a strategy to enforce ipJJ ^p). 

Multi-agent models. While linear- and branching-time temporal logics are interpreted on 
Kripke structure, alternating-time temporal logics are interpreted on models that incorpo- 
rate the notion of multiple agents. Two kinds of synchronous multi-agent models have been 
proposed for ATL in the literature. First Alternating Transition Systems (ATSs) (AHK98] 
have been defined: in any location of an ATS, each agent chooses one move, i.e., a subset of 
locations (the list of possible moves is defined explicitly in the model) in which she would 
like the execution to go to. When all the agents have made their choice, the intersection 
of their choices is required to contain one single location, in which the execution enters. In 
the second family of models, called Concurrent Game Structures (CGSs) [AHK02j . each of 
the n agents has a finite number of possible moves (numbered with integers), and, in each 
location, an n-ary transition function indicates the state to which the execution goes. 

Our contributions. First we precisely characterize the complexity of the model checking 
problem. The original works about ATL provide model-checking algorithms in time 0{m-l), 
where m is the number of transitions in the model, and / is the size of the formula [AHK98[ 
IAHK02) . thus in PTIME. However, contrary to Kripke structures, the number of transitions 
in a CGS or in an ATS is not quadratic in the number of states [AHK02j . and might even be 
exponential in the number of agents. PTIME-completeness thus only holds for ATS when the 
number of agents is bounded, and it is shown in jJDOSt IJD06j that the problem is strictl}0 
harder otherwise, namely NP-hard on ATS and 5l2-hard on CGSs where the transition 
function is encoded as a boolean function. We prove that it is in fact Ag-complete and A3- 
complete, resp. We also precisely characterize the complexity of model-checking classical 
extensions of ATL, depending on the underlying family of models. 

Then we address expressiveness questions. First we show how ATSs and CGSs are 
related by providing translations between these models. Moreover we consider expressive- 
ness questions about ATL modalities. While in LTL and CTL, the dual of "Until" modality 
can be expressed as a disjunction of "always" and "until", we prove that it is not the case 
in ATL. In other words, ATL, as defined in [AHK97t IAHK981 lAHK02j . is not as expressive 

"'^We adopt the classical hypothesis that the polynomial-time hierarchy does not collapse, and that 
PTIME / NP. We refer to 'Pap94' for the definit ions about complexity classes, especially about oracle 
Turing machines and the polynomial-time hierarchy. 
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as one could expect (while the dual modalities clearly do not increase the complexity of the 
verification problems). 

Related works. In |AHK981[CTK02] . ATL has been defined and studied over ATSs and CGSs 
In [IIRS02J . expressiveness issues are considered for ATL* and ATL. Complexity of satisfia- 
bility is addressed in |GvD061 IWLWW06] . Complexity results about model checking (for 
ATL, ATL"*", ATL*) can be found in |AHK02l ISch04| . Regarding control- and game theory, 
many papers have focused on this wide area; we refer to |Wal04) for a survey, and to its 
numerous references for a complete overview. 

Plan of the paper. Section [2] contains the formal definitions needed in the sequel. Sec- 
tion [3] deals with the model-checking questions and contains algorithms and complexity 
analysis for ATSs and CGSs. Section S] contains our expressiveness results: we first prove 
that ATSs and CGSs have the same expressive power w.r.t. alternating bisimulation (i.e., 
any CCS can be translated into an equivalent ATS, and vice- versa). We then present our 
expressiveness results concerning ATL modalities. 

2. Definitions 

2.1. Concurrent Game Structures. Concurrent game structures are a multi-player ex- 
tension of classical Kripke structures |AIIK02 ] . Their definition is as follows: 

Definition 2.1. A Concurrent Game Structure (CGS for short) C is a 6-tuple (Agt, Loc, 
AP, Lab, Mov, Edg) where: 

• Agt = {^1, ...,Af:} is a finite set of agents (or players); 

• Loc and AP are two finite sets of locations and atomic propositions, resp.; 

• Lab: Loc — > 2^^ is a function labeling each location by the set of atomic propositions 
that hold for that location; 

• Mov: Loc X Agt — > 'P(N) \ {0} defines the (finite) set of possible moves of each agent in 
each location. 

• Edg: Loc X N'^ — > Loc, where k = |Agt|, is a (partial) function defining the transition 
table. With each location and each set of moves of the agents, it associates the resulting 
location. 

The intended behaviour is as follows [AHK02j : in a location i, each player Ai chooses 
one possible move m^. in Mov(^, Ai) and the next location is given by Edg(^, niAi , iTiAk)- 
We write Next(^) for the set of all possible successor locations from i, and Next{£, Aj ,m), 
with m G Mov(f, Aj), for the restriction of Next(^) to locations reachable from i when 
player Aj makes the move m. 

The way the transition table Edg is encoded has not been made precise in the original 
definition. Following the remarks of [JD05] . we propose two possible encodings: 

Definition 2.2. 

• An explicit CGS is a CGS where the transition table is defined explicitly. 
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• An implicit CGS is a CGS where, in each location the transition function is defined by 
a finite sequence (((/7o;^o)i •••) ifn,(^n))i where £i € Loc is a location, and ipi is a boolean 
combination of propositions Aj = c that evaluate to true iff agent Aj chooses move c. The 
transition table is then defined as follows: Edg(^, myi^, ...,m^j,) = ij iff j is the lowest 
index s.t. ipj evaluates to true when players Ai to choose moves tuai mA^.- We 
require that the last boolean formula (pn be T, so that no agent can enforce a deadlock. 

Besides the theoretical aspect, the implicit description of CGSs may reveal useful in 
practice, as it allows to not explicitly describe the full transition table. 

The size \C\ of a CGS C is defined as |Loc| + |Edg|. For explicit CGSs, |Edg| is the size 
of the transition table. For implicit CGSs, |Edg| is the sum of the sizes of the formulas used 
for the definition of Edg. 

2.2. Alternating Transition Systems. In the original works about ATL jAHK97| . the 

logic was interpreted on ATSs, which are transition systems slightly different from CGSs: 

Definition 2.3. An Alternating Transition System {ATS for short) ^ is a 5-tuple (Agt, Loc, 
AP, Lab, Mov) where: 

• Agt, Loc, AP and Lab have the same meaning as in CGSs; 

• Mov: Loc X Agt V{'P{\-OC)) associate with each location i and each agent a the set of 
possible moves, each move being a subset of Loc. For each location i, it is required that, 
for any Qi € Mov(^, Ai), nj<fc Qi be a singleton. 

The intuition is as follows: in a location £, once all the agents have chosen their moves 
(i.e., a subset of locations), the execution goes to the (only) state that belongs to all the sets 
chosen by the players. Again Next(£) (resp. Next{£, Aj,m)) denotes the set of all possible 
successor locations (resp. the set of possible successor locations when player Aj chooses the 
move m). 

The size of an ATS is |Loc| + |Mov| where |Mov| is the sum of the number of locations 
in each possible move of each agent in each location. 

We prove in Section 14.11 that CGSs and ATSs have the same expressiveness (w.r.t. al- 
ternating bisimilarity | AHK V98] ) . 

2.3. Coalition, strategy, outcomes of a strategy. A coalition is a subset of agents. 
In multi-agent systems, a coalition A plays against its opponent coalition Agt \ A as if they 
were two single players. We thus extend Mov and Next to coalitions: 

• Given A C Agt and I G Loc, Mov(^, A) denotes the possible moves for the coalition A 
from i. Such a move m is composed of a single move for every agent of the coalition, 

that is m =^ {ma)a£A- Then, given a move m' G Mov(^, Agt\A), we use m©m' to denote 
the corresponding complete move (one for each agent). In ATSs, such a move m ® m' 
corresponds to the unique resulting location; in CGSs, it is given by Edg(^, m m'). 

• Next is extended to coalitions in a natural way: given m = {ma)a&A £ Mov(£, A), we let 
Next(£, A, m) denote the restriction of Next(£) to locations reachable from i when every 
player Aj G A makes the move ruAy 

Let 5 be a CGS or an ATS. A computation of S is an infinite sequence p = £q£i ■ ■ ■ 
of locations such that for any i, ii^i £ Next(£j). We write p[i] for the i + 1-st location £j. 
A strategy for a player Aj € Agt is a function that maps any finite prefix of a computation 
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to a possible move for Ai, i.e., satisfying fAii^o • • ■ ^m) G Mov(^m,^i)- A strategy is state- 
based (or memoryless) if it only depends on the current state {i.e., fAii^o " " "^m) = fAX^m))- 
A strategy induces a set of computations from £ — called the outcomes of /^^ from t and 
denotecd Ou\.s{l, fAi) — that player Ai can enforce: £0^1 ■ ■ ■ S 0ut5(£, /yi.) iS i = £0 and 
for any i we have ^j+i G Next(£j, Aj, /y^. (£0 ■ ■ '^i))- Given a coalition A C Agt, a strategy 
for ^ is a tuple Fa containing one strategy for each player in A: Fa = {/a^Aj G A}. 
The outcomes of Fa from a location £ contains the computations enforced by the strategies 
in Fa: £o£i • • • G Out5(^, Fa) iS£ = £o and for any i, £i+i G Next(£i, A, (/„(£o, • • • , £i))aeA). 
The set of strategies for A is denoted^ Strata (A). Finally, note that F0 is empty and 
Outs{£, 0) represents the set of all computations from £. 

2.4. The logic ATL. We now define the logic ATL, whose purpose is to express controllabil- 
ity properties on CGSs and ATSs. Our definition is slightly different from the one proposed 
in |AHK02j . This difference will be explained and argued in Section 14. 2[ 

Definition 2.4. The syntax of ATL is defined by the following grammar: 
PJLb ^ps,^ps ::= T | P | -^ips \ (fs^i's \ i^)) 
fp ::= -^fp I ^<fs I <fs'^ips 
where P ranges over the set AP and A over the subsets of Agt. 

Given a formula (p G ATL, the size of (p, denoted by \(p\, is the size of the tree representing 
that formula. The DAG-size of (p is the size of the directed acyclic graph representing that 
formula (i.e., sharing common subformulas). 

In addition, we use standard abbreviations such as T, _L, F , etc. ATL formulae are 
interpreted over states of a game structure S. The semantics of the main operators is 
defined as follows^: 

£ {{A} ifp iff 3Fa G Strat(^). Vp G Out(£, Fa), p N ^p, 

p^sXips iff p[l\ \=s ps, 

p \=s p>s^-^s iff 3i. p[i] 1=5 and VO < j < i. [=5 pig. 

It is well-known that, for the logic ATL, it is sufficient to restrict to state-based strate- 
gies {i.e., {{A)) (pp is satisfied iff there is a state-based strategy all of whose outcomes sat- 
isfy y^p) |AHK02[[Sch04] . 

Note that ((0)) corresponds to the CTL formula Apip [i.e., universal quantification 
over all computations issued from the current state) , while ((Agt)) corresponds to ex- 
istential quantification 'Eiipp. However, ((A)) (pp is generally not equivalent to ((Agt \ 
A)j -^(pp |AIIK02t IGvD06j : indeed the absence of a strategy for a coalition A to ensure ip 
does not entail the existence of a strategy for the coalition Agt\A to ensure -^p:. For in- 
stance. Fig. [1] displays a (graphical representation of a) 2-player CGS for which, in £q, both 
-1 ((Ai)) Xp and ((^2)) ~'Xp hold. In such a representation, a transition is labeled with 
{1711,1712) when it corresponds to move mi of player Ai and to move m2 of player A2. Fig. [2] 
represents an "equivalent" ATS with the same property. 



'We might omit to mention 5 when it is clear from the context. 
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lOC={io,h,i2,i'l,i2} 
M0V(4,Ai) = {{^l,^;},{^2,4}} 

Mov(£o,A2) = {{£i,4},{^2,^'i}} 

fLab(^i) = Lab(£2) = M 
\Lab(fi) = Lab(4) = 

Figure 2: An ATS that is not determined. 

3. Complexity of ATL model-checking 

In this section, we estabhsh the precise complexity of ATL model-checking. This issue 
has already been addressed in the seminal papers about ATL, on both ATSs |AHK98j 
and CGSs |AHK02j . The time complexity is shown to be in 0{m ■ I), where m is the 
number of transitions and I is the size of the formula. The authors then claim that the 
model-checking problem is in PTIME (and obviously, PTIME-complete, since it is already 
for CTL). In fact this only holds for explicit CGSs. In ATSs, the number of transitions 
might be exponential in the size of the system (more precisely, in the number of agents). 
This problem — the exponential blow-up of the number of transitions to handle in the 
verification algorithm — also occurs for implicit CGSs: the standard algorithms running 
in 0{m ■ I) require exponential time. 

Basically, the algorithm for model-checking ATL is similar to that for CTL: it consists 
in recursively computing fixpoints, based e.g. on the following equivalence: 

{{A))p\Jq^fiZ.{qy{pA {{A))XZ)) (3.1) 

The difference with CTL is that we have to deal with the modality ((j4)) X — corresponding 
to the pre-image of a set of states for some coalition — instead of the standard modality EX . 
In control theory, ((j4)) X corresponds to the controllable predecessors of a set of states for 
a coalition: CPre{A, S), with A C Agt and S Q Loc, is defined as follows: 

CPre{A, S) = {£ G Loc | 3mA e Mov(^, A) s.t. Next(^, A, itia) ^ S} 

The crucial point of the mo del- checking algorithm is the computation of the set CPre{A, S). 

In the sequel, we establish the exact complexity of computing CPre (more precisely, 
given A C Agt, S C Loc, and £ G Loc, the complexity of deciding whether £ G CPre{A, S)), 
and of ATL model-checking for our three kinds of multi-agent systems. 




Figure 1: A CGS that is not determined. 



3.1. Model checking ATL on explicit CGSs. As already mentionned, the precise com- 
plexity of ATL model-checking over explicit CGSs was established in [AHK02) : 

Theorem 3.1. ATL model- checking over explicit CGSs is PT\ME- complete. 

To our knowledge, the precise complexity of computing CPre in explicit CGSs has 
never been considered. The best upper bound is PTIME, which is sufficient for deriving the 
PTIME complexity of ATL model-checking. 

In fact, given a location £, a set of locations S and a coalition A, deciding whether 
£ G CPre{A, S) has complexity much lower than PTIME: 

Proposition 3.2. Computing CPre in explicit CGSs is in AC^ . 
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Proof. We begin with precisely defining how the input is encoded as a sequence of bits: 

• the first |Agt| bits define the coahtion: the i-th bit is a 1 iff agent Ai belongs to A; 

• the following |Loc| bits of input define the set S; 

• for the sake of simplicity, we assume that all the agents have the same number of moves in £. 
We write p for that number, which we assume is at least 2. The transition table Edg(£) 
is then given as a sequence of sets of log(|Loc|) bits. 

As a first step, it is rather easy to modify the input in order to have the following form: 

• first the k bits defining the coalition; 

• then, a sequence of p^ bits defining whether the resulting state belongs to S. 
This is achieved by p^ copies of the same AC" circuit. 

We now have to build a circuit that will "compute" whether coalition A has a strategy 
for ending up in S. Since circuits must only depend on the size of the input, we cannot 
design a circuit for coalition A. Instead, we build one circuit for each possible coalition 
(their number is exponential in the number of agents, but polynomial in the size of the 
input, provided that p >2), and then select the result corresponding to coalition A. 

Thus, for each possible coalition B, we build one circuit whose final node will evaluate 
to 1 iff £ € CPre{B,S). This is achieved by an unbounded fan-in circuit of depth 2: 
at the first level, we put p'^' AND-nodes, representing each of the p'^' possible moves for 
coalition B. Each of those nodes is linked to p'^"!^! bits of the transition table, corresponding 
to the set of possible p'^"!^! moves of the opponents. At the second level, an OR-node is 
linked to all the nodes at depth 1. 

Clearly enough, the OR-node at depth 2 evaluates to true iff coalition B has a strategy 
to reach S. Moreover, there are (^) coalitions of size I, each of which is handled by a circuit 
of + 1 nodes. The resulting circuit thus has {p + 1)*^ + 2^^ nodes, which is polynomial in 
the size of the input. This circuit is thus an AC" circuit. 

It simply remains to return the result corresponding to the coalition A. This is easily 
achieved in AC". □ 



3.2. Model checking ATL on implicit CGSs. Assuming that the transitions issued 
from i are given — in the transition table — by the sequence {{ipo,io), {ifi,£i), . . . , {ifn,£n)), 
we have: £ G CPre(A, S) iff there exists uia G Mov(£, A), s.t. there is no G Mov(^, Agty^d) 
and £i G Loc\S' s.to ipi[mA © rn^] = T and (pj[mA © m^] = _L for any j < i. Thus we look 
for a move uia G Mov(^, A) s.t. for all G Mov(^, A), the negation of V£igLoc\5('/'j["^A] A 
Aj<i-V'iM) holds. 

This problem corresponds to an instance of the Z2 -complete problem EQSAT2: 
EQSAT2: 

Input:: two families of variables X = {x^, and Y = {y^, a boolean 

formula ip on the set of variables X UY. 
Output:: True iff 3X. VY. if. 

And indeed, as a direct corollary of [JDOS^ Lemma 1], we have: 

■^Given m — {ma)aeA for A C Agt, flm] denotes the formula where every proposition " Aj — c" with 
Aj G A is replaced by T if rriAj ~ c, and by _L otherwise. If ^ = Agt, 95 [m] is boolean expression. 
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Proposition 3.3. Computing CPre in implicit CGSs is Y.^-complete. 

Proof. The membership in follows directly the above remarks. A Y.2 procedure is ex- 
plicitly described in Algorithm [TJ 

Procedure co-strategy(g, {(pi,ii)i, (ma)„g^, S) 

//checks if the opponents have a co-strategy to {ma)aeA to avoid S 
begin 

foreach a ^ A do 

\_ ma<^ guess{q,a); 
i <- 0; 

vi^hile ->Lpi{ma,ma) do 

L + 

if ^ 5 then 
|_ return yes] 

else 
|_ return no; 

end 

Procedure CPre(^, S) begin 
W ^0- 

foreach g € C do 
foreach a € ^ do 

\_'ma^ guess{q,a); 

if not co-strategy fig, i(pi,ii)i, (ma)^g^, S) then 
L W ^WU{q}] 

return W; 
end 

Algorithm 1: Computing CPre on implicit CGS. 

Concerning hardness in > directly use the construction of |JD05t Lemma 1] : from 
an instance 3X. \/Y. ip of EQSAT2, one consider an implicit CGS with three states qi, q-j 
and q±, and 2n agents A^, A", B^, i?", each having two possible choices in qi and only 
one choice in qj and q±. The transitions out of qj and q± are self-loops. The transitions 

from qi are given by: 6{qi) = {{ip[x^ ^ {A^ = l),y^ ^ {B^ = 1)], gT)(T, ^.l)). 

Then clearly, qi belongs to CPre{{A^ , A"-}, {qj}) iff there exists a valuation for 
variables in X s.t. 99 is true whatever S-agents choose for Y. □ 

The complexity of ATL model checking over implicit CGS is higher: the proof of 5I2- 
hardness of CPre{A, S) can easily be adapted to prove fig-hardness. Indeed consider the 
dual (thus rig -complete) problem AQSAT2, in which, with the same input, the output is 
the value of VX. 31". ip. Then it suffices to consider the same implicit CGS, and the formula 
-1 ([A^, ...,^")) X-iQ'T. It states that there is no strategy for players A^ to A^ to avoid qj: 
whatever their choice, players B^ to -B" can enforce 

This contradicts the claim in |JD05| that model checking ATL would be Zg-complete. 
In fact there is a flaw in their algorithm about the way it handles negation (and indeed 
their result holds only for the positive fragment of ATL [JD08| ): games played on CGSs 
(and ATSs) are generally not determined, and the fact that a player has no strategy to 
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enforce 99 does not imply that the other players have a strategy to enforce -k/j. It rather 
means that the other players have a co-strategy to enforce ^ip (by a co-strategy, we mean a 
way to react to each move of their opponents |GvD06] ). 

Still, using the expression of ATL modalities as fixpoint formulas (see Eq. (13. ip ). we can 
compute the set of states satisfying an ATL formula by a polynomial number of computations 
of CPre, which yields a A3 algorithm: 

Proposition 3.4. Model checking ATL on implicit CGSs is in A3 . 

Note that, since the algorithm consists in labeling the locations with the subformulae 
it satisfies, that complexity holds even if we consider the DAG-size of the formula. 

To prove hardness in A3, we introduce the following A3 -complete problem [LMSOU 
[SAOij . 

SNSAT2: 

Input:: m families of variables Xi = m families of variables Yi = 

{y^^, y"}, m variables Zj, m boolean formulae ipi, with ipi involving variables 
in XiUYiU {zi, ...,Zi^i}. 

Output:: The value of z^, defined by 

r Zl = 3x1. vn. v?i(Xi,yi) 
I Z2 = 3x2. vy2. ^^2(^1, ^2,12) 

And we have: 

Proposition 3.5. Model checking ATL on implicit CGSs is A^-hard. 

Proof. We pick an instance I of SNSAT2, and reduce it to an instance of the ATL model- 
checking problem. Note that such an instance uniquely defines the values of variables Zi. 
We write vj: {zi, ...,Zm} — > {T,_L} for this valuation. Also, when vj{zi) = T, there exists 
a witnessing valuation for variables in Xj. We extend vj to {zi, Zm} U |Jj Xi, with vx{xl) 
being a witnessing valuation if vj{zi) = T. 

We now define an implicit COS C as follows: it contains mn agents Aj (one for each x^), 
mn agents (one for each yj), m agents Cj (one for each Zj), and one extra agent D. 
The structure is made of m states qi, m states gj, m states Si, and two states qt and q±. 
There are three atomic propositions: sy and s±, that label the states qj and qj_ resp., and 
an atomic proposition s labeling states Sj. The other states carry no label. 

Except for D, the agents represent booleans, and thus always have two possible choices 
(0 and 1). Agent D always has m choices (0 to m — 1). The transition relation is defined 
as follows: for each i, 

yi^iBill),z,^iC, = l)],qT) 

((D = k) A {Ck = 1), qk) for each k < i 
{{D = k) A {Ck = 0),qk) for each k < i 
(T,(?t) / 



'5(g^) = ((T,s.)); 

6{si) = {{T,qi)y, 

%T) = ((T,gT)); 
%±) = ((T,gx)); 
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Intuitively, from state qi, the boolean agents chose a valuation for the variable they represent, 
and agent D can either choose to check if the valuation really witnesses <pi (by choosing 
move 0), or "challenge" player C^, with move k < i. 
The ATL formula is built recursively as follows: 



V^fc+i = ((AC)) i^s) U [qr V EX (s A EX -Vfc)) 

where AC stands for the coalition {A\, A!^, Ci, Cm}- 

Let fi{A) be the state-based strategy for agent A S AC that consists in playing accord- 
ing to the valuation vj {i-e. move if the variable associated with A evaluates to in vj, 
and move 1 otherwise). The following lemma completes the proof of Proposition 13.51 

Lemma 3.6. For any i < m and k > i, the following three statements are equivalent: 

(a) C,qi \= ipk; 

(b) the strategies fx witness the fact that C,qi \= ipki 

(c) variable Zi evaluates to T in vj. 

Proof. Clearly, implies 1^. We prove that 1^ implies and that ^ implies by 
induction on i. 

First assume that qi \= ipj, for some j > 1. Since only qj and q± are reachable from qi, 
we have qi \= ((AC)) X qj. We are (almost) in the same case as in the reduction of |JD05| : 
there is a valuation of the variables x} to x" s.t., whatever players D and Bl to B^^ decide, 
the run will end up in q-j. This holds in particular if player D chooses move 0: for any 
valuation of the variables y| to y", V'i(^i>^i) holds true, and zi evaluates to true in vj- 

Secondly, if zi evaluates to true, then vx{x\), wx(x^) are such that, whatever the 
value of y| to , ipi holds true. If players A\ to A^ play according to fx, then players D 
and Bl to i?" cannot avoid state qj, and qi \= ((AC)) Xgy, thus also ipk when k > 1. 

We now assume the result holds up to index i > 1, and prove that it also holds at 
step i + 1. Assume g^j+i \= Tpk+i, with k > i. There exists a strategy witnessing Vfc+i; 
i.e., s.t. all the outcomes following this strategy satisfy (-is) U (gy V EX (s A EX-i-f/^fc)). 
Depending on the move of player D in state qi+i, we get several informations: first, if 
player D plays move /, with 1 < I < i, the play goes to state qi or ql, depending on the 
choice of player Ci. 

• if player Ci chose move 0, the run ends up in g[. Since the only way out of that state is 
to enter state si, labeled by s, we get that qi \= EX (s A EX-i'i/'fc), i.e., that qi \= ^il^k- 
By i.h., we get that zi evaluates to false in our instance of SNSAT2. 

• if player C; chose move 1, the run goes to qi. In that state, players in AC can keep on 
applying their strategy, which ensures that qi \= tpk+ii and, by i.h., that zi evaluates to 
true in I. 

Thus, the strategy for AC to enforce V'fc+i in Qi+i requires players Ci to Ci to play according 
to vx and the validity of these choices can be verified by the "opponent" D. 

Now, if player D chooses move 0, all the possible outcomes will necessarily immediately 
go to qT (since tpk+i holds, and since q± ^ EX (s A EX-i-i/'fc))- We immediately get that 
players -B^+i to -B^Yi cannot make ipi+i false, hence that Zj+i evaluates to true in I. 

Secondly, if Zj+i evaluates to true, assume players in AC play according to fx, and 
consider the possible moves of player D: 
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• if player D chooses move 0, since Zj+i evaluates to true and since players Ci to d and 
AI_^_^ to ^"^.1 have played according vj, there is no way for player Bl_^_-^ to to avoid 
state qt- 

• if player D chooses some move I between 1 and i, the execution will go into state qi or qi, 
depending on the move of C;. 

— if Ci played move 0, i.e., if zi evaluates to false in vj, the execution goes to state ql, 
and we know by i.h. that qi \= ^Tpk- Thus ql \= EX (s A EX-i'^fc), and the strategy 
still fulfills the requirement. 

— if Ci played move 1, i.e., if zi evaluates to true, then the execution ends up in state qi, 
in which, by i.h., the strategy fi enforces tpk+i- 

• if player D plays some move I with I > i, the execution goes directly to qj, and the 
formula is fulfilled. □ 

With Proposition 13.41 this implies: 

Theorem 3.7. Model checking ATL on implicit CGSs is -complete. 



3.3. Model checking ATL on ATSs. For ATSs also, computing CPre (and thus model- 
checking ATL) cannot be achieved in PTIME. A direct corollary of |JD05t Lemma 4] is: 

Proposition 3.8. Computing CPre in ATSs is NP-complete. 

Proof. Algorithm [2] shows how to compute CPre in NP in ATSs: it amounts to guessing 
a move for each player in the coalition, and to check whether the resulting possible next 
states are all in S. 

Procedure CPre(^, S) begin 

W ^ 0; 

foreach g € C do 
foreach a € ^ do 

//Guess a move for player a from a state q 

\_ nia^ guess{q,a); 
if Pi TUa C S then 

L W ^WU{q}; 

return W; 
end 

Algorithm 2: Computing CPre for ATS 

Again, NP-hardness follows from [JD051 Lemma 4]. We propose here a slightly different 
proof, that will be a first step to the A2-hardness proof below. 

The proof is a direct reduction from 3SAT: let 2 = {S^, 5") be an instance of 3SAT 
over variables X = {x^, x™'}. We assume that = a-^'^s-''"'^ Va-^'^s-^'^ Va-^'^s-^'^ where s-''^ € 
X and a^'^ G {0, 1} indicates whether variable s^'^ is taken negatively (0) or positively (1). 
We assume without loss of generality that no clauses contain both one proposition and its 
negation. 

With such an instance, we associate the following ATS A. It contains 8n + 1 states: one 
state q, and, for each clause 5-^ , eight states q^'^ to q^''^. Intuitively, the state q^'^ corresponds 
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to a clause B^''' = kis^'^ V k2S^''^ V kss^'^, where kik2ks corresponds to the binary notation 
for k. There is only one atomic proposition a in our ATS: a state g-''^ is labeled with a iff 
it does not correspond to clause . By construction, for each j, only one of the states q^'^ 
to g-^'^ is not labeled with a. 

There are m + 1 players, where m is the number of variables that appear in I. With 
each X* is associated a player A^. The extra player is named D. Only the transitions from q 
are relevant for this reduction. We may assume that the other states only carry a self-loop. 
In q, player decides the value of x*. She can thus choose between two sets of next states, 
namely the states corresponding to clauses that are not made true by her choice: 





< 3. s^'' / x' or a*'' 


= 0} if x' 


= T 




yi < 3. s^'' / x' or a*'' 


= 1} if x' 


= _L 


Last, player D has 


n choices, namely {q^'^, ... 


,q'''} to 





We first prove the singleton requirement for ATSs' transitions: the intersections of the 
choices of the agents must be a singleton. Once players to A™ have chosen their moves, 
all the variables have been assigned a value. Under that valuation, for each j < n, exactly 
one clause among B^''^ to i?-''^ evaluates to false (thanks to our requirement that a literal 
cannot appear together with its negation in the same clause). Intersecting with the choice 
of player D, we end up with one single state (corresponding to the only clause, among those 
chosen by D, that evaluates to false). 

Now, let if = ((vl^, A^)) X a. That q \= indicates that players A^ to A^ can choose 
a valuation for x^ to s.t. player D will not be able to find a clause of the original instance 
{i.e., not labeled with a) that evaluates to false (i.e., that is not made true by any of the 
choices of the players A^ to A"^). In that case, the instance is satisfiable. Conversely, if the 
instance is satisfiable, it suffices for the players A^ to A^ to play according to a satisfying 
valuation of variables x^ to x™. Since this valuation makes all the original clauses true, it 
yields a strategy that only leads to states labeled with a. □ 

As in the case of implicit CGSs, we combine the fixpoint expressions of ATL modalities 
together with the NP algorithm for computing CPre. This yield a algorithm for full ATL: 

Proposition 3.9. Model checking ATL over ATSs is in A2 . 

This turns out to be optimal: 

Proposition 3.10. Model checking ATL on ATSs is /^^-hard. 

Proof. The proof is by a reduction of the A2 -complete problem SNSAT [LMSOlj : 
SNSAT: 

Input:: p families of variables Xj. = {x]., x™}, p variables z^, p boolean formulae 

(fr in 3-CNF, with ip^ involving variables in U {zi, Zr-i}. 
Output:: The value of Zp, defined by 





def 


3X1. 


V'i(^i) 


Z2 


def 


3X2. 


V32(^;i,X2) 


zz 


def 


3X3. 


ip^{zi,,Z2,X^) 


Zp 


def 


3Xp. 


ipp{zi, Zp-i,Xp 
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Let X be an instance of SNSAT, where we assume that each ipr is made of n clauses 
S}. to SJ!*, with si = a^r^ s'r^ V a'r'^si''^ V c4-'^si'^. Again, such an instance uniquely defines 
a valuation vj for variables zi to Zr , that can be extended to the whole set of variables by 
choosing a witnessing valuation for x}. to when Zr evaluates to true. 

We now describe the ATS A: it contains (8n + 3)p states: 

• p states Tj^ and p states qr, 

• p states Sr, 

• and for each formula ipr, for each clause of (fr, eight states g^'*^, g^'^, as in the 
previous reduction. 

States Sr are labelled with the atomic proposition s, and states qi'^ that do not correspond 
to clause Sr are labeled with a. 

There is one player Ai for each variable xi, one player Cr for each Zr, plus one extra 
player D. As regards transitions, there are self-loops on each state qi'^, single transitions 
from each g7 to the corresponding Sr, and from each Sr to the corresponding g^. From 
state qr, 

• player Ai will choose the value of variable xi, by selecting one of the following two sets 
of states: 

{qf''' I V/ < 3. s^-' / xi or a^/ = 0} U {qt,q-t \ t < r} if ^ = T 

{q?''' I VZ < 3. s^.'^ + xi or a^'' = 1} U {qt,q-t \ t < r} if ^ = ^ 

Both choices also allow to go to one of the states qt or gt. In qr, players Al with t ^ r 
have one single choice, which is the whole set of states. 

• player Ct also chooses for the value of the variable it represents. As for players Aj., this 
choice will be expressed by choosing between two sets of states corresponding to clauses 
that are not made true. But as in the proof of Prop. 13.51 players Ct will also offer the 
possibility to "verify" their choice, by going either to state qt or q^. Formally, this yields 
two sets of states: 

{q^r'" I V/ < 3. s^/ + Zt or a^'' = 0} U | n / t} U {qt} if = T 

{ql^^ I W < 3. + Zt or a^'' = 1} U | n / t} U {g^} \izt = \. 

• Last, player D chooses either to challenge a player Ct, with t < r, by choosing the set 
{_qt,'qt\, or to check that a clause Si is fulfilled, by choosing {g^'*^, ...,g^'''}. 

Let us first prove that any choices of all the players yields exactly one state. It is obvious 
except for states qr- For a state qr, let us first restrict to the choices of all the players A'r 
and Cr, then: 

• if we only consider states (^'^ to g" the same argument as in the previous proof ensures 
that precisely on state per clause is chosen, 

• if we consider states qt and , the choices of players Bt ensure that exactly one state has 
been chosen in each pair {gt,gt}, for each t < r. 

Clearly, the choice of player D will select exactly one of the remaining states. 

Now, we build the ATL formula. It is a recursive formula (very similar to the one 
used in the proof of Prop. 13. Sp . defined by Vo = T and (again writing AC for the set of 
players {A\, A;^,Ci, ...,Cp}): 

tl^r+i =^ ((AC)) (^s) U (a V EX (s A EX ^Vr))- 
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Then, writing fj for the state-based strategy associated to vj: 

Lemma 3.11. For any r < p and t>r, the following statements are equivalent: 
(a) ^t; 

(h) the strategies fx witness the fact that q^ \= ipti 
(c) variable Zr evaluates to true in vj. 

Proof. We prove by induction on r that imphes ^ and that ^ impUes (EP, the last 
impUcation being obvious. For r = 1, since no s-state is reachable, it amounts to the 
previous proof of NP-hardness. 

Assume the result holds up to index r. Then, if qr+i \= ipt+i for some t > r, we pick a 
strategy for coalition AC witnessing this property. Again, we consider the different possible 
choices available to player D: 

• if player D chooses to go to one of qu and g^, with u < r + 1: the execution ends up in qu 
if player Cu chose to set Zu to true. But in that case, formula ipt+i still holds in qu, which 
yields by i.h. that z^ really evaluates to true in vj. Conversely, the execution ends up 
in q^ if player C„ set Zu to false. In that case, we get that qu \= "'V'tj with t > u, which 
entails by i.h. that Zu evaluates to false. 

This first case entails that player Ci to Cr chose the correct value for variables zi to Zr- 

• if player D chooses a set of eight states corresponding to a clause Sl_^_-^^, then the strategy 
of other players ensures that the execution will reach a state labeled with a. As in the 
previous reduction, this indicates that the corresponding clause has been made true by 
the choices of the other players. 

Putting all together, this proves that variable Zr+i evaluates to true. 

Now, if variable Zr+i evaluates to true. Assume the players in AC play according to 
valuation /j. Then 

• if player D chooses to go to a set of states that correspond to a clause of (pr+i , he will 
necessarily end up in a state that is labeled with a, since the clause is made true by the 
valuation we selected. 

• if player D chooses to go to one of qu or 7^^, for some Zi, then he will challenge player Bu 
to prove that his choice was correct. By i.h., and since player Bu played according to fx, 
formula (-is) U (a V EX (s A EX -i-i/^t+i)) will be satisfied, for any t > u. □ 

We end up with the precise complexity of ATL model-checking on ATSs: 

Theorem 3.12. Model checking ATL on ATSs is -complete. 

3.4. Beyond ATL. As for classical branching-time temporal logics, we can consider several 
extensions of ATL by allowing more possibilities in the way of combining quantifiers over 
strategies and temporal modalities. We define ATL* |AHK02j as follows: 

Definition 3.13. The syntax of ATL* is defined by the following grammar: 

ATL* 3 ips,^s ■■= T I P I -^ips \ips\/^ps\ {{A)) tpp 

LPp,il)p ::= (/Js I I (/Jp V V'p I X I (/?p U V'p 
where P and A range over AP and 2^9', resp. 
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The size and DAG-size of an ATL* formula are defined in the same way as for ATL. 
ATL* formulae are interpreted over states of a game structure S, the semantics of the main 
modalities is as follows (if p = ioii . . ., we write for the i + 1-st suffix, starting from 

e {{A)) ifp iff 3Fa G Strat(A) . Vp G Out(A Fa). pH^p, 

p \=s iff p[0] \=S 

p 1=5 X(/?p iff p^ Vp, 

p\=s ^p^ ipp iff p' [=5 tpp and VO < j < i. p' \=s (fp 

ATL is the fragment of ATL* where each modality U or X has to be preceded by a 
strategy quantifier ((A)) . Several other fragments of ATL* are also classically defined: 

• ATL"^ is the restriction of ATL* where a strategy quantifier ((A)) has to be inserted between 
two embedded temporal modalities U or X but boolean combination are allowed. 

• EATL extends ATL by allowing the operators ((A)) G F (often denoted as ((A)) F ) and 
((A)) F G (often written ((A)) G). They are especially useful to express fairness properties. 

For instance, 



((A)) (^F Pi A F Pa A P3V is in ATL+, 
((A)) F (Pi A ((A')) F P2) is in EATL, 
((A)) (f Pi a P2 U (P3 A F P4)) is in ATL* . 



3.4.1. Model checking ATL . First note that ATL extends ATL and allows to express proper- 
ties with more succinct formulae |Wil99l lAIOlj but these two logics have the same expressive 
power: every ATL"*" formula can be translated into an equivalent ATL formula [HRS02j . 

The complexity of model checking ATL"*" over ATSs has been settled Ag-complete 
in [Sch04j . But the A^-hardness proof of [Sch04j is in LOGSPACE only w.r.t. the DAG- 
size of the formula. Below, we prove that model checking ATL"^ is Ag-complete (with the 
classical definition of the size of a formula) for our three kinds of game structures. 

Proposition 3.14. Model checking ATL^ can be achieved in A3 on implicit CGSs. 

Proof. A A3 algorithm is given in [Sch04j for explicit CGSs. We extend it to handle 
implicit CGSs: for each subformula of the form ((A)) ip, guess (state-based) strategies for 
players in A. In each state, the choices of each player in A can be replaced in the transition 
functions. We then want to compute the set of states where the CTL^ formula Aip holds. 
This can be achieved in Ag [CE S861 ILMSOlj . but requires to first compute the possible 
transitions in the remaining structure, i.e., to check which of the transition formulae are 
satisfiable. This is done by a polynomial number of independent calls to an NP oracle, and 
thus does not increase the complexity of the algorithm. □ 

Proposition 3.15. Model checking ATL^ on turn-based two-player explicit CGSs is A3- 
hard. 

Proof. This reduction is a quite straightforward extension of the one presented in [LMSOl] 
for CTL"*". In particular, it is quite different from the previous reductions, since the boolean 
formulae are now encoded in the ATL^ formula, and not in the model. 
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We encode an instance X of SNSAT2, keeping the notations used in the proofs of 
Prop. [331 (for the SNSAT2 problem) and l3.10] (for clause numbering). Fig. [3] depicts the turn- 
based two-player CGS C associated to X. States s\ to Sm are labeled by atomic proposition s, 




controlled by player A controlled by player B 



Figure 3: The CGS C 

states zT to are labeled by atomic proposition and the other states are labeled by their 
name as shown on Fig. [3l 

The ATL^ formula is built recursively, with V'o = T and 

Vfc+i = ((^)) [G A G (z ^ EX {s A EX -^fc)) A /\ [(F z^) ^ /\ V F l^^^W 

w<p i<"fc<3 

where lii^ = v when s't!' = v and aii^ = 1, and li/' = v when sii^ = v and aiu^ = 0. We 
then have: 

Lemma 3.16. For any r < p and t > r, the following statements are equivalent: 
(a) Zr\= ipt; 

(h) the strategies fx witness the fact that \= ipt; 
(c) variable Zr evaluates to true in vj. 

When r = 1, since no s- or z-state is reachable from zi, the fact that zi \= "ipt, with t > 1, 
is equivalent to zi \= {{A)) f\ - \/^, F . This in turn is equivalent to the fact that zi 
evaluates to true in X. 

We now turn to the inductive case. If z^+i \= V't+i with t > r, consider a strategy for A 
s.t. all the outcomes satisfy the property, and pick one of those outcomes, say p. Since it 
cannot run into any s-state, it defines a valuation Vp for variables zi to Zr+i and x\ to xj^ in 
the obvious way. Each time the outcome runs in some z^-state, it satisfies EX (s A EX-i/'j). 
Each time it runs in some z^-state, the suffix of the outcome witnesses formula V't+i in ^u- 
Both cases entail, thanks to the i.h., that Vp{zu) = vx{zu) for any u < r + \. Now, the 
subformula Ato[(F -^w) ~^ Aj<n V ko^^'u''^' when w = r + 1, entails that ipr+i is indeed 
satisfied whatever the values of the y^+i's, i.e., that Zr+i evaluates to true in X. 

Conversely, if Zj. evaluates to true, then strategy fx clearly witnesses the fact that ipt 
holds in state Zr. □ 

As an immediate corollary, we end up with: 

Theorem 3.17. Model checking ATL^ is A^-complete on ATSs as well as on explicit CGSs 
and implicit CGSs. 
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3.4.2. Model^ checking EATL. In the classical branching-time temporal logics, adding the 
modality EF to CTL increases its expressive power (see |Eme90) ). this is also true when 
considering alternating-time temporal logics, as we will see in Section [4.2.21 

From the theoretical-complexity point of view, there is no difference between ATL and 
EATL: 

Theorem 3.18. Model checking EATL is: 

• PTlME-complete over explicit CGSs; 

• f^^- complete over ATSs; 

• -complete over implicit CGSs. 

Proof. We extend the model-checking algorithm for ATL. This is again achieved by express- 
ing modalities {{A)) F and {{A} G as fixpoint formulas [dAHMOl] : 

oo 

{{A)) Fp EE uy.fix. ( ((.4)) X (x) V (p A {{A)) X (y))) 

{{A} Gp^ iiy.ux. ( ((.4)) X (x) ^{p^J {A)) X [y))) 

Computing these fixpoints can again be achieved by a polynomial number of computa- 
tions of CPre. 

Hardness directly follows from the hardness of ATL model checking. □ 

3.4.3. AJ'U' model- checking. When considering ATL* model checking, the complexity is the 
same for explicit CGS, implicit CGS and ATS since it mainly comes from the formula to 
be checked: 

Theorem 3.19. Model checking AJ'U' is 2EXPT\ME-complete on ATSs as well as on explicit 
CGSs and implicit CGSs. 

Proof. We extend the algorithm of [AHK02j . This algorithm recursively labels each location 
with the subformulae it satisfies. Formulas ((^)) -0, with tp £ LTL, are handled by building a 
deterministic Rabin tree automaton for tp, and a Biichi tree automaton Ac, a recognizing 
trees corresponding to the sets of outcomes of each possible strategy of coalition A in the 
structure C. We refer to [AHK02j for more details on the whole proof, and only focus on 
the construction of Ac,a- 

The states of Ac,a are the states of C. From location i, there are as many transitions 
as the number of possible joint moves m = (m^.)yi.g^ of coalition A. Each transition is a 
set of states that should appear at the next level of the tree. Formally, given p S 2^'^, 

6{£,p) = {Next{£,A,m) \ m = {niAjA^eA with VA, G A. tua, G Mov(^, Aj)} 

when p = Lab(£), and S{i,p) = otherwise. 

For explicit CGSs, this transition function is easily computed in polynomial time. 
For ATSs and implicit CGSs, the transition function is computed by enumerating the (ex- 
ponential) set of joint moves of coalition A (computing Next(^,^,m) is polynomial once the 
joint move is fixed). 

Computing Ac,A can thus be achieved in exponential time. Testing the emptiness of the 
product automaton then requires doubly-exponential time. The whole algorithm thus runs 
in 2EXPTIME. The lower bound directly follows from the lower bound for explicit CGSs. 

□ 
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Let US finally mention that our results could easily be lifted to Alternating-time /i- 
calculus (AMC) |AHK02j : the PTIME algorithm proposed in |AHK02j for explicit CGSs, 
which again consists in a polynomial number of computations of CPre, is readily adapted 
to ATSs and implicit CGSs: as a result, model checking the alternation-free fragment has 
the same complexities as model checking ATL, and model checking the whole AMC is in 
EX PTIME for our three kinds of models. 

4. Expressiveness 

We have seen that the ability of quantifying over the possible strategies of the agents 
increases the complexity of model checking and makes the analysis more difficult. 

We now turn to expressivity issues. We first focus on translations between our different 
models (explicit CCS, implicit COS and ATS). We then consider the expressiveness of 
"Until" and "Always" modalities, proving that they cannot express the dual of "Until". 

4.1. Comparing the expressiveness of CGSs and ATSs. We prove in this section that 
CGSs and ATSs are closely related: they can model the same concurrent games. In order 
to make this statement formal, we use the following definition: 

Definition 4.1 ( [AHK V98] ) . Let A and B be two models of concurrent games (either ATSs 
or CGSs) over the same set Agt of agents. Let R C Loc^ x LoCg be a (non-empty) relation 
between states of A and states of B. That relation is an alternating bisimulation when, for 
any € R, the following conditions hold: 

. Lab^(£) = LabB(f ); 

• for any coalition A C Agt, we have 

Vm: A-^ M0V^(^, A). 3m': A ^ M0VB(f,^). 

Vg' € Mext{i',A,m'). 3q € Mext{£,A,m). {q,q') G R. 

• symmetrically, for any coalition A C Agt, we have 

Vm': A ^ M0Vb(/, A). 3m: A ^ Mov^(^,^). 

Vg e Next(^,yl,m). 3q' G Next(/, ^, m'). {q,q') G R. 

where Next(^, A, m) is the set of locations that are reachable from i when each player Ai ^ A 
plays m{Ai). 

Two models are said to be alternating-bisimilar if there exists an alternating bisimula- 
tion involving all of their locations. 

With this equivalence in mind, ATSs and CGSs (both implicit and explicit ones) have 
the same expressive poweiQ: 

Theorem 4.2. (1) Any explicit CGS can he translated into an alternating-bisimilar 
implicit one in linear time; 

(2) Any implicit CGS can be translated into an alternating-bisimilar explicit one in 
exponential time; 

(3) Any explicit CGS can be translated into an alternating-bisimilar ATS in cubic time; 
^The translations between ATSs and explicit CGSs was already mentionned in [GJ04] . 
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(4) Any ATS can be translated into an alternating-bisimilar explicit CGS in exponential 
time; 

(5) Any implicit CGS can he translated into an alternating-bisimilar ATS in exponential 
time; 

(6) Any ATS can be translated into an alternating-bisimilar implicit CGS in quadratic 
time; 

Figure H] summarizes those results. From our complexity results (and the assumption 
that the polynomial-time hierarchy does not collapse), the costs of the above translations 
is optimal. 




explicit CGS I ((2]) exponential implicit CGS | 



Figure 4: Costs of translations between the three models 



Proof. Points [H [21 and S] are reasonnably easy. 

For point m it suffices to write, for each possible next location, the conjunction (on each 
agent) of the disjunction of the choices that contain that next location. For instance, if we 
have Mov^(£o,^i) = {{4, ^2}, {4, ^3}} and Mov^(£o, ^2) = {{^2, 4}, {4}} in the ATS A, 
then each player will have two choices in the associated CGS B, and 

/ (Ai = lV^i = 2)A(^2 = 2), 4 \ 
Edgi5(4) = (^1 = 1) A {A2 = 1), i2 

\ (^1 = 2) A {A2 = 1), h I 

Formally, let A = (Agt, Loc^, AP, Lab^, Mov^) be an ATS. We then define B = 
(Agt, Loce, AP, Labg, Movg, Edg^) as follows: 

• Locb = Loc^, Labs = Lab^; 

• Movgi^xyl, ^[l,|Mov^(^,Ai)|]; 

• Edg^ is a function mapping each location £ to the sequence {{^£> ,i'))e.i£LocA (^^^ order is 
not important here, as the formulas will be mutually exclusive) with 

yligAgt \£' appears in the j-th / 
set of M0Vyi(f,Ai) 

Computing Edg^ requires quadratic time (more precisely O([L0Cyi| x |Mov^|)). It is now 
easy to prove that the identity Id C Loc^ x LoCg is an alternating bisimulation, since there 
is a direct correspondance between the choices in both structures. 

We now explain how to transform an explicit CGS into an ATS, showing point [3l 
Let A = (Agt, LOC^, AP, Lab^, Mov^, Edg^) be an explicit CGS. We define the ATS B = 
(Agt, L0C5, AP, Labg, Movg) as follows (see Figure[5]for more intuition on the construction): 
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• LoCb C Loc^ X Loc^ X N'', where k = |Agt|, with . . . ,mAj € LoCg iS £ = 

• LabB(£, f , TTiAi , . . . , m^J = Lab^(^); 

• From a location q = {i, i', m^^, . . . , rnA^), player Aj has |Mov_4(£, possible moves: 
M0VB(g,Aj) = {{(/', £,m'^^,...,m^^, =i,...,m^J | m'^^ G Mov^(f , A„) 

and/' = Edg^(^,mAi,...,mA^- =i, ...,mAj} | i G Mov^(^, 

This ATS is built in time 0(|Loc^p ■ |Edg_4|). It remains to show alternating bisimilarity 
between those structures. We define the relation 

R = {{£,{£, e',mA,,...,mA^)) \ ^ G Loc^, (£, f , m^i , • • • , ^aJ) G LoCg}. 

It is now only a matter of bravery to prove that R is an alternating bisimulation between A 
and B. 

Point [5] is now immediate (through explicit CGSs), but it could also be proved in a 
similar way as point El □ 

Let us mention that our translations are optimal (up to a polynomial): our exponential 
translations cannot be achieved in polynomial time because of our complexity results for 
ATL model-checking. Note that it does not mean that the resulting structures must have 
exponential size. 

Moves from location A: 




Player 1 


move 1 
move 2 
move 3 


{ba,l,l, da,l,2, da,l,3} 
{Ca,2,2, Ca,2,3,da,2,l} 
{«a,3,l; C?a,3,2, da,3,3} 



Player 2 


move 1 
move 2 
move 3 


{aa,3,l' ^(1,1,1) ^^1,2,1} 
{Co,2,2, C^a,l,2, <^a,3,2} 
{Ca,2,3) da,l,3,da,3,3} 



Figure 5: Converting an explicit CGS into an ATS 



4.2. Some remarks on the expressiveness of ATL. 

4.2.1. ((A)) R cannot be expressed with ((A)) U and ([A)) G . In the original papers defin- 
ing ATL [AHK97[ IAHK02j , the syntax of that logic was slightly different from the one we 
used in this paper: following classical definitions of the syntax of CTL, it was defined as: 

ATLorig 9 V's, ::= T | p | -^ips \ (fs^i^s \ i^)) 
ipp ::= X(^s I G(ps I ipsVil^s- 
Duality is a fundamental concept in modal and temporal logics: for instance, the dual 

def 

of modality U, often denoted by R and read release, is defined by pRg = -'{{-'p) U {-'q))- 
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Dual modalities allow, for instance, to put negations inner inside the formula, which is often 
an important property when manipulating formulas. 

In LTL, modality R can be expressed using only U and G: 

p'Rq = Gqy q\J (pAq). (4.1) 

In the same way, it is well known that CTL can be defined using only modalities EX, EG 
and EU, and that we have 

BpKq= EGqV EqlJ {p A q) ApKq = ^'E{^p)V {^q). 

It is easily seen that, in the case of ATL, it is not the case that ^A])p'Rq is equivalent 
to ({A)) Gqy (lA)) q\J (pAq): it could be the case that part of the outcomes satisfy G q and 
the other ones satisfy q\J {p A q). In fact, we prove that ATLorig is strictly less expressive 
than ATL: 

Theorem 4.3. There is no ATLorig formula equivalent to ^ = ((yl)) (aR6). 

The proof of Theorem 14.31 is based on techniques similar to those used for proving 
expressiveness results for temporal logics like CTL or ECTL [Eme90| : we build two families 
of models (sj)jgN and (s^)jgN s.t. (1) Sj Y= (2) s[ \= ^ for any i, and (3) Si and satisfy 
the same ATLorig formula of size less than i. Theorem 14.31 is a direct consequence of the 
existence of such families of models. In order to simplify the presentation, the theorem is 
proved for formulji $ = {{A)) (&R (a V b)). 

The models are described by one single inductive CGSH C, involving two players. It is 
depicted on Fig. [6l A label (a, (3) on a transition indicates that this transition corresponds 




Figure 6: The CGS C, with states Si and on the left 

to move a of player Ai and to move f3 of player A2. In that CGS, states Si and s[ only 
differ in that player Ai has a fourth possible move in s[. This ensures that, from state 
(for any i), player Ai has a strategy (namely, he should always play 4) for enforcing a W6. 

''This formula can also be written ((A)) a W b, where W is the "weak until" modality. 
^Given the translation from CGS to ATS (see Section [4. ip . the result also holds for ATSs. 
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But this is not the case from state sf. by induction on i, one can prove Si ^ ((^i)) a W6. 
The base case is trivial. Now assume the property holds for i: from Sj+i, any strategy for 
Ai starts with a move in {1, 2, 3} and for any of these choices, player A2 can choose a move 
(2, 1 and 2 resp.) that enforce the next state to be Si where by i.h. Ai has no strategy 
for aW6. 

We now prove that Si and s[ satisfy the same "small" formulae. First, we have the 
following equivalences: 

Lemma 4.4. For any i > 0, for any ip G ATLorig with I'i/'l < i: 



Proof. The proof proceeds by induction on i, and on the structure of the formula ^. 

Base case: i = 1. Since we require that I?/'! < i, ip can only be an atomic proposition. The 
result is then obvious. 

Induction step. We assume the result holds up to some i — \ > 1, and prove that it then 
still holds for i. Let ■0 s-t. \'4>\ < i- We now proceed by structural induction on ip: 

• The result is again obvious for atomic propositions, as well as for boolean combinations 
of subformulae. 

• Otherwise, the "root" combinator of "0 is a modality. If it is a CTL modality, the results 
are quite straightforward. Also, since there is only one transition from 6j, any ATLorig 
modality can be expressed as a CTL modality in that state, and (14. 2p follows. 

• If = ((^1)) X-^i: Assume Sj \= ip. Then, depending on the strategy, either bi and Si-i, 
or ai and or Sj and Sj_i, should satisfy ipi. By i.h., this propagates to the next level, 
and the same strategy can be mimicked from Sj+i. 

The converse is similar (hence (14. 3p ). as well as the proof for ()4.4p . 

• If -0 = ((^1)) Gipi: If Si \= Tp, then Si, thus Sj+i, satisfy ipi. Playing move 3 is a strategy 
for player Ai to enforce Gipi from Sj+i, since the game will either stay in Sj+i or go to Sj, 
where player A has a winning strategy. 

The converse is immediate, as player Ai cannot avoid Si when playing from Sj+i. 
Hence (j43]l for ((Ai)) G -formulae. 

If 1= tp, then both and s[_^_l satisfy tpi. Also, player Ai cannot avoid the play to go 
in location Thus, |= ipi — and by i.h., so does Sj — and Si \= tp, as above. Now, 
following the same strategy in as the winning strategy of s[ clearly enforces Gtpi. 
The converse is similar: it suffices to mimic, from s-, the strategy witnessing the fact 
that s[_^_^ \= ip. This proves (|4.4p . and concludes this case. 

• liip = ([AiJ) ^pl XJ 'ip2- If Si \= tp, then either ■ip2 or ^pl holds in Si, thus in Sj+i. The former 
case is trivial. In the latter, player Ai can mimic the winning strategy in Sj+i: the game 
will end up in Si, with intermediary states satisfying ipi (or 'tp2), and he can then apply 
the original strategy. 

The converse is obvious, since from Sj+i, player Ai cannot avoid location Si, from which 
he must also have a winning strategy. 

If s[ \= ip, omitting the trivial case where satisfies ^p2, we have that Si-i \= tp. Also, a 
(state-based) strategy in s- witnessing ip necessary consists in playing move 1 or 2. Thus 



bi\=i^ W bi+i \= ^P 
Si\=i^ W Si+i \= Ip 
s'ihi^ iff s'i+i N ■0 



(4.2) 
(4.3) 
(4.4) 
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ai and bi satisfy ip, and the same strategy (move 1 or 2, resp.) enforces Gipi from Sj. It 
is now easy to see that the same strategy is correct from s-^^^. Conversely, apart from 
trivial cases, the strategy can again only consist in playing moves 1 or 2. In both cases, 
the game could end up in s,, and then in Si-i. Thus Sj_i |= tp, and the same strategy as 
in s^_^_^ can be applied in s'^ to witness ^p. 

• The proofs for ((^2)) X'f/'i, ((^2)) Gipi, and ((^2)) ipi ^ ip2 are very similar to the previous 
ones. □ 

Lemma 4.5. V-i > 0, V^/^ G ATLorig with IV'I < i: Si\= -ip iff s[\= ip. 

Proof. The proof proceeds by induction on i, and on the structure of the formula ip. The 
case i = 1 is trivial, since si and s'^ carry the same atomic propositions. For the induction 
step, dealing with CTL modalities (((0)) and ((^1, ^2))) is also straightforward, then we just 
consider ((^1))- and ((A2))-modalities. 

First we consider ((^i))-modalities. It is well-known that we can restrict to state-based 
strategies in this setting. If player Ai has a strategy in Si to enforce something, then he can 
follow the same strategy from s[ . Conversely, if player Ai has a strategy in s[ to enforce some 
property, two cases may arise: either the strategy consists in playing move 1, 2 or 3, and 
it can be mimicked from Sj. Or the strategy consists in playing move 4 and we distinguish 
three cases: 

• = ((^1)) X V'l • that move 4 is a winning strategy entails that s^, Oj and bi must satisfy ipi . 
Then Sj (by i.h. on the formula) and Si-i (by Lemma [4.4p both satisfy ipi. Playing move 1 
(or 3) in Sj ensures that the next state will satisfy V'l- 

• ip = {{Ai} G^i: by playing move 4, the game could end up in Si-i {via bi), and in Oj 
and S'. Thus Sj_i |= Tp, and in particular ipi. By i.h., Si \= ^Ji, and playing move 1 (or 3) 
in Si, and then mimicking the original strategy (from s'^), enforces GV'i- 

• ip = ((Ai)) ipi U ip2- a strategy starting with move 4 implies s'^ \= ip2 (the game could stay 
in for ever). Then Si \= ip2 by i.h., and the result follows. 

We now turn to ((^2)) -modalities: clearly if ((^2)) V"! holds in s[, it also holds in Sj. Con- 
versely, if player A2 has a (state-based) strategy to enforce some property in s^: If it consists 
in playing moves 1 or 3, then the same strategy also works in s[. Now if the strategy starts 
with move 2, then playing move 3 in s'^ has the same effect, and thus enforces the same 
property. □ 

Remark 4.6. ATLorig and ATL have the same distinguishing power as the fragment of ATL 
involving only the (( • )) X modality (see [AHKV98t proof of Th. 6]). This means that we 
cannot exhibit two models M and M' s.t. (1) M ^ (2) M' ^ and (3) M and M' 
satisfy the same ATLorig formula. 

Remark 4.7. In |AHK02j . a restriction of COS — the turn-based CGSs — is considered. 
In any location of these models (named TB-CGS hereafter), only one player has several 
moves (the other players have only one possible choice). Such models have the property 
of determinedness: given a set of players A, either there is a strategy for A to win some 
objective or there is a strategy for other players (Agt\^) to enforce In such systems, 
modality R can be expressed as follows: ({A)) ipYiip =xb-cgs ((Agt\yl)) (-"Z?) U (^tp). 
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4.2.2. ((A)) G J^nd ([A]) F cannot be expressed in ATL. It is well known that ECTL formulae 
of the form EF P (and its dual AG P) cannot be expressed in CTL |Eme90] . On the other 
hand, the following equivalences hold: 

oo oo 

EG P = EF EG P AF P = AG AF P. 

oo oo 

The situation is again different in ATL: neither ([A)) F nor ([A)) G are expressible 
in ATL. Indeed, assume that ((A)) F could be expressed by the ATL formula This holds 
in particular in 1-player games (i.e., Kripke structures). In the casejvhere coalition A 
contains the only player, we would end up with aJDTL equivalent of EF , which is known 
not to exist. A similar argument applies for ((vl)) G . 

5. Conclusion 

In this paper, we considered the basic questions of expressiveness and complexity of ATL. 
We precisely characterized the complexity of ATL, ATL"*", EATL and ATL* model-checking, 
on both ATSs and CGSs, when the number of agents is not fixed. These results complete 
the previously known results about these formalisms (and corrects some of them). It is 
interesting to see that their complexity classes (Ag or Ag ) are unusual in the area of model- 
checking. We also showed that ATL, as originaly defined in |AHK97t IAHK981 E1IK02] . is 
not as expressive as it could be expected, and we argue that the modality "Release" should 
be added in its definition. 
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